
Annotation of /jonen/notes/notes_2004-06.twingle



Revision 1.2
Wed Jun 2 22:47:22 2004 UTC (20 years, 1 month ago) by jonen
Branch: MAIN
Changes since 1.1: +2 -1 lines
added link

<hr/>

Debian stable and AES loop (crypto-api) file-system encryption (kernel 2.6.x):
- read:
http://www.mirrors.wiretapped.net/security/cryptography/filesystems/loop-aes/loop-AES.README
http://www.sdc.org/~leila/usb-dongle/readme.html
http://www.kerneli.org/howto/node3.php
http://www.linuxsecurity.com/docs/HOWTO/Encryption-HOWTO/
http://debid.vlsm.org/share/HOWTO/Encrypted-Root-Filesystem-HOWTO
- updated/new packages needed for 2.6:
coreutils
modconf
modutils
module-init-tools
#: apt-get install modutils modconf module-init-tools coreutils -t testing
- updated/new packages needed for aes-cryptoloop:
loop-aes-utils
util-linux (testing)
- new packages needed for the crypto-swap script:
sharutils (uuencode)
- create encrypted fs:
echo ${PASSPHRASE} | losetup -p 0 -e aes-256 ${LOOPDEV} ${DEVICE}
- with special seed:
echo ${PASSPHRASE} | losetup -p 0 -S ${SEED} -e aes-256 ${LOOPDEV} ${DEVICE}
- for crypto-swap, try this script:
#------------------------ crypto-swap begin ------------------------------------
#!/bin/sh
# Run this script somewhere in your startup scripts _after_ the random
# number generator has been initialized and /usr has been mounted.
# (md5sum, uuencode, tail and head programs usually reside in /usr/bin/)

# encrypted swap partition
SWAPDEVICE=/dev/hda3

# loop device name
LOOPDEV=/dev/loop6

# hash the first 40 KiB of the old swap contents, then overwrite them with zeros
MD=`dd if=${SWAPDEVICE} bs=4k count=10 2>/dev/null | md5sum`
for X in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do
    dd if=/dev/zero of=${SWAPDEVICE} bs=4k count=10 conv=notrunc 2>/dev/null
    sync
done
# 18 random bytes, base64-encoded (second line of the uuencode -m output)
UR=`dd if=/dev/urandom bs=18 count=1 2>/dev/null \
    | uuencode -m - | head -n 2 | tail -n 1`
# hash + random string form a fresh key for this boot; it is never stored
echo ${MD}${UR} | losetup -p 0 -e aes-256-cbc ${LOOPDEV} ${SWAPDEVICE}
MD=
UR=
dd if=/dev/zero of=${LOOPDEV} bs=4k count=10 conv=notrunc 2>/dev/null
sync
mkswap ${LOOPDEV}
sync
swapon ${LOOPDEV}
#------------------------ crypto-swap end --------------------------------------

- mounting encrypted file systems at boot time
- for an interactive key passphrase, add the following to /etc/fstab:
/dev/hda6 <mount-point> <fs-type> defaults,loop=/dev/loop6,encryption=AES256 0 0

With this method you have to enter your passphrase at boot time (when the encrypted fs is mounted).

- using an init script (WARNING: passphrase and seed have to be written into the script in PLAINTEXT!!):
- create the following script as '/etc/init.d/prepare-cryptofs.sh':
#------------------------ prepare-cryptofs.sh begin ------------------------------------
#!/bin/sh
# encrypted partition
DEVICE=/dev/hda3
# loop device name
LOOPDEV=/dev/loop3

# key material stored in plaintext (see warning above)
PASSPHRASE="WSyPeR1gh07fvoyNZjtxo7Y6F4o="
SEED="NUmdxSWIbPdYijbdo/0v"

case "$1" in
start)
    echo "Setting up loop devices used for crypto-fs..."
    echo ${PASSPHRASE} | losetup -p 0 -S ${SEED} -e aes-256 ${LOOPDEV} ${DEVICE}
    ;;
stop)
    echo "Deleting loop device used for cryptofs..."
    losetup -d ${LOOPDEV}
    ;;
*)
    echo "usage: $0 {start|stop}"
    exit 1
esac
exit 0
#------------------------ prepare-cryptofs.sh end --------------------------------------

<hr/>
$Id: notes_2004-06.twingle,v 1.1 2004/06/02 22:45:38 jonen Exp $

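An added check script for the two boot-time set-ups above (example code, not part of the original notes): it reports /etc/fstab loop mounts that carry no encryption= option, and tests whether a key-holding init script like prepare-cryptofs.sh is readable by its owner only. The sample fstab and the file names under the temporary directory are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the fstab and init-script
# set-ups described above. Sample files are constructed; names are assumptions.

# Print every fstab entry that uses loop/loop= but has no encryption= option.
# Returns 0 when all loop mounts are encrypted, 1 otherwise.
unencrypted_loop_mounts() {
    found=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac          # skip blank/comment lines
        case ",$opts," in
            *,loop=*|*,loop,*)
                case ",$opts," in
                    *,encryption=*) ;;
                    *) echo "$dev on $mnt: loop mount without encryption="; found=1 ;;
                esac ;;
        esac
    done < "$1"
    return $found
}

# Returns 0 when the file's ls -l mode has no group/other bits (e.g. -rwx------).
key_script_is_private() {
    case "$(ls -ld "$1")" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build a constructed sample tree (one encrypted and one plain loop mount,
# one world-readable and one owner-only key script) and print its path.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/fstab" <<'EOF'
# <device>   <mount-point> <fs-type> <options>                                  <dump> <pass>
/dev/hda6    /crypt        ext3      defaults,loop=/dev/loop6,encryption=AES256  0 0
/srv/img.iso /mnt/iso      iso9660   loop,ro                                     0 0
EOF
    printf '#!/bin/sh\nPASSPHRASE="constructed"\n' > "$d/prepare-cryptofs.sh"
    chmod 0755 "$d/prepare-cryptofs.sh"            # key readable by everyone
    printf '#!/bin/sh\nPASSPHRASE="constructed"\n' > "$d/prepare-cryptofs-fixed.sh"
    chmod 0700 "$d/prepare-cryptofs-fixed.sh"      # owner only
    echo "$d"
}
SAMPLE=$(make_sample_dir)
unencrypted_loop_mounts "$SAMPLE/fstab" || echo "fstab: fix the entries above"
key_script_is_private "$SAMPLE/prepare-cryptofs.sh" || echo "prepare-cryptofs.sh: key readable by others"
key_script_is_private "$SAMPLE/prepare-cryptofs-fixed.sh" && echo "prepare-cryptofs-fixed.sh: ok"
```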
